Earlier today, I presented at Boston Code Camp 21 on Hacking Your Own Website. In the presentation, I took the audience through a demonstration of my approach to using BurpSuite to enumerate a website and to find potential exploitation points. I also briefly went into some of the other functionality that Burp offers such as the Intruder and Repeater tools. I also briefly demonstrated the scanner. My thought was that they would most likely be using the free version for a bit before purchasing a license (if at all), so I wanted to make sure I got enough of the other functionality in there.
For the demonstration I used the Drunk Admin Web Hacking Challenge VMWare image as a target.
Demonstrations can eat up time so I wasn’t able to get through the entire challenge set. I was taking questions throughout so that slowed it down a bit, but I would rather answer questions than just get through the content and not have anyone coming away from the presentation learning anything.
I think it is important for security people to break out and present at (or just attend) conferences that are primarily focused on security. This makes us much more rounded individuals as well as allowing us to transfer knowledge to developers, managers and others who may not get to the security conferences or even better, disseminate proper advice and knowledge to those that may only be getting their security information through a vendor or what they read on some of the generalist news sites.
Overall I thought it went well and had a good time with it.